• Data importers/recipients in the US must be certified under the UK Extension and appear on the EU-US Data Privacy Framework (DPF) list.
• Only US organisations subject to the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are currently eligible to participate in the DPF programme. Those US organisations not subject to the jurisdiction of either the FTC or DoT — for example, banking, insurance, and telecommunications companies — are unable to participate in the DPF programme at this time.

Before transferring any personal data to the US, UK organisations must ensure the following:

1. Confirm that the recipient is certified under the DPF
2. Confirm that the organisation has adopted the UK Extension to the DPF
3. (If wishing to transfer HR data), confirm that HR data is covered by the organisation’s DPF commitments
4. Review the organisation’s privacy policies that apply to ensure that the relevant data is covered (for both non-HR and/or HR data)

If the UK Extension is not applicable to your data transfer, you will have to rely on other transfer tools, such as one of the pre-existing appropriate safeguards or one of the available derogations under Article 49 of the UK GDPR for international data transfers. A transfer risk assessment may also be necessary to validate your transfers.

The DPF List can be found here.

The UK-US Data Bridge factsheet for UK organisations can be found here.

The UK-US Data Bridge explanatory guide can be found here.

The UK Information Commissioner’s Opinion on the adequacy for the UK Extension to the EU-US Data Privacy Framework for the general processing of personal data can be found here.

Our previous blog post on the EU-US DPF can be found here.